Comment Re:Call me stupid, but this makes no sense to me. (Score 1) 266
1) STACK grows down
y [RET] ; 32 bit return address pushed on call to function
y-4 [...] ; misc stack contents
y-n [var] ; ASCII overflowable local variable
2) Overflow grows up
overflow ascii string = len(var) + len(...) + "\1\0\0\0"
y ["\0"]
y-1 ["\0"]
y-2 ["\0"]
y-3 ["\1"]
y-4 [len(...)]
y-n [len(var)]
3) Contents of bytes [y-3, y] form, in little endian: 0x01000000
4) 0x01000000 equals 16M; this is the lowest address an ASCII overflow can reach
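
Added example, not part of the comment above: a C model of the frame the comment sketches ([var][misc][RET] at ascending addresses) that applies a strcpy-style copy to a plain byte array and reads the saved return slot back as a little-endian value. `VAR_LEN`, `MISC_LEN`, `ret_after_copy` and all sample values are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VAR_LEN   8   /* assumed size of the overflowable local [var] */
#define MISC_LEN  4   /* assumed size of the misc stack contents [...] */
#define FRAME_LEN (VAR_LEN + MISC_LEN + 4)

/* Simulate a strcpy-style copy of `payload` into a frame laid out as
 * [var][misc][RET] at ascending addresses, and return the value the
 * saved return slot holds afterwards when read as little-endian.
 * The frame is an ordinary byte array; no real stack is touched. */
uint32_t ret_after_copy(const char *payload, uint32_t old_ret)
{
    uint8_t frame[FRAME_LEN] = {0};
    uint8_t *ret = frame + VAR_LEN + MISC_LEN;

    /* Store the original return address, least significant byte first. */
    for (int i = 0; i < 4; i++)
        ret[i] = (uint8_t)(old_ret >> (8 * i));

    /* The copy stops at the first NUL and writes that NUL as terminator.
     * Clamped to the simulated frame so the model itself cannot overflow. */
    size_t n = strlen(payload) + 1;
    if (n > FRAME_LEN)
        n = FRAME_LEN;
    memcpy(frame, payload, n);

    return (uint32_t)ret[0] | (uint32_t)ret[1] << 8 |
           (uint32_t)ret[2] << 16 | (uint32_t)ret[3] << 24;
}

int main(void)
{
    const uint32_t old = 0x08048abcu;  /* constructed sample value */

    /* Fits inside var: the return slot is untouched. */
    printf("%08x\n", ret_after_copy("short", old));
    /* Four non-NUL bytes land in the slot. */
    printf("%08x\n", ret_after_copy("AAAAAAAABBBB\x01\x01\x01\x01", old));
    /* Three bytes plus the terminator: the top byte becomes 0x00. */
    printf("%08x\n", ret_after_copy("AAAAAAAABBBB\x41\x42\x43", old));
    /* One byte plus the terminator: the upper half keeps its old bytes. */
    printf("%08x\n", ret_after_copy("AAAAAAAABBBB\x41", old));
    return 0;
}
```

The byte written first sits at the lowest address and becomes the least significant byte of the stored value, and the only zero byte the copy can place is its own terminator.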